
Random Carl on Strategy – I

Since the Internet exploded with the massive number of requests sent to me [maybe not so much, or ‘zero’ counts as such], herewith, in instalments, just some loose ends and parts of Carl von Clausewitz’s Vom Kriege…:
Alle diese Theorieversuche sind nur in ihrem analytischen Teil als Fortschritte in dem Gebiet der Wahrheit zu betrachten, in dem synthetischen Teil aber, in ihren Vorschriften und Regeln, ganz unbrauchbar. Sie streben nach bestimmten Größen, während im Kriege alles unbestimmt ist und der Kalkül mit lauter veränderlichen Größen gemacht werden mußte. Sie richten die Betrachtung nur auf materielle Größen, während der ganze kriegerische Akt von geistigen Kräften und Wirkungen durchzogen ist. Sie betrachten nur die einseitige Tätigkeit, während der Krieg eine beständige Wechselwirkung der gegenseitigen ist. Sie schließen das Genie von der Regel aus.

i.e.,
All these attempts at theory are only in their analytical part to be considered as progress in the province of truth; but in their synthetical part, in their precepts and rules, as quite unserviceable. They strive after determinate quantities, whilst in war all is undetermined, and the calculation has always to be made with purely varying quantities. They point the attention only upon material forces, while the whole military action is penetrated throughout by intelligent forces and their effects. They only pay regard to activity on one side, whilst war is a constant state of reciprocal action, the effects of which are mutual. They exclude genius from the rule.

Which, clearly, is Clausewitz’s position on latter-day claims of “AI” (quod non) as revealing some truths or theories that humans were too ignorant to detect; showing that they are statistical artefacts as long as no theory was driving the discovery through deductive falsification attempts. Let alone that the world changes by the very application of the model…
But then, I might in theory take this too far. [Disclaimer: Yeah, yeah, I know for a fact that I do; but not as far as your emotions would want]

That was that. Onto the next itty bitty (incl polka dot) but first this:

[Battle yoga field; Bryant Park NT]

When Actor meets Opportunity, fraud sparks may fly

Too bad the ‘fraud triangle’ endures
Despite having been torn down, or to pieces, or whatev’… and some handy pages helping you out. To see that when you use those words often, they may not mean what you think they mean … [anyone see the pleonasm in this page’s title ..?]

My take:

1. Time orders

The classical fraud triangle is presented as if all three factors have to be present at any one (sic) time to ‘have’ fraud committed. However, on even the slightest closer inspection, one sees that this wasn’t in the original ideas. If you read the above first link, it will show that a. it was about social psychology; b. “for embezzlement to occur, there must be: 1) a non-sharable problem, 2) an opportunity for trust violation and 3) a set of rationalizations that define the behaviour as appropriate in a given situation. He [Sutherland, stealing (sic, ominously) from the inventor Donald Cressey … What 1. did he have, to use his position (2.), and what 3. …? Oh of course, the 1. was pressure to publish and/or make a name; ed.] wrote that none of these elements alone would be sufficient to result in embezzlement; instead, all three elements must be present.”; c. it wasn’t about a triangle.

2. The focus on legalistic Act(ion)

The fraud triangle is near-always brought to bear when ‘fraud’ is in play, which invariably makes the case be stolen (sic) by legalistically inclined pundits who know of no ‘intent’ or such vaguenesses but want to deal with Actions only, as the thing to sue against, since the law knows (forbids) no psychology, only the results in action(s).

Intermission
To focus only on the legal, only-actions-count kind of factors is somewhere on the spectrum from naive to guilty-by-omission. Both ex ante, in the preventative work, and ex post, in the detective, corrective and (actor and victim) improvement work. But the legal angle does bring an interesting thing, being the demonstration in law that total security is a pipe dream, and welcome to reality. Some countries have acts of law that make committing a crime a crime in itself. It seems that in breaking such a law, either one goes down an Alice-ian rabbit hole of infinite recursion or Russell’s paradox is in play. Only demonstrating the sheer incompetence of some (the involved) lawmakers, that they fell for such a practical joke by their colleagues. We may hope. Turning the culprits [hey there they go ..!] into http errors 418 (Russell’s ones of that, too). If you now lost me in the subcultural references, join the club that will have, nay, already includes me…
End of intermission

This is not totally wrong but leaves the vast majority of anti-fraud work on the table. Since so much of what one can ‘do’ against fraud and its opportunities lies within the realms of both (sic) the psychological side of things and the operational side. As will be depicted below: Those are the two sides. There aren’t three.

3. Current approaches, mostly

Practically, most current approaches use an ORM lens to focus on Opportunity — with a handful of side initiatives (one per global organisation …!) also taking ‘awareness’ or ‘motivation’ into some consideration.

Intermission
As far as staff (bound to obey through livelihood dependence (however loosely or choke-tightly…) on continued employment – bondage isn’t just some people’s preference but, mostly throughout humanity, what the masses revolt against) are sent to ‘training’, which psychologically is group punishment for individuals’ perceived faults and hence will backfire, or are ‘nudged’, i.e., brainwashed with surreptitious poster campaigns et al., which will backfire once people see that their minds are being corrupted (sic), such campaigns are at best window dressing, which seems to be called ‘greenwashing’ nowadays for all forms of this. At worst, they backfire spectacularly into widespread counteractions. If you don’t trust me, a. I have zero reason to trust you, b. I will show you how I will out-master you in the take-what-you-can game ..! Yes, when you go around basically suspecting all employees as a fraud risk, you’ll get the results you were nervous about, far beyond your wildest dreams.
End of intermission

And this ORM side is oh so often badly, very badly executed. Remember the atrocities of “3 Lines of Defence” of yesteryear …? Your children will not believe you ever believed in that sh.t. Yes, it’s bad; and worse the closer one gets to those who pipe-dream of their authority received through pursuing the kindergarten ‘logic’ (not) of 3LoD, crossed [wanted to say: ‘squared’, but proper application of that would be beyond comprehension to the followers, fellow travellers] with a lack of clue about how meshes of control objectives and controls are not effective at all. Improvements have been proposed, but are hardly even noticed.

4. Actors; they act – some part, some role

A lot of the time, a lot of insightful stuff regarding employees is apparently missed. Even when from a Master, who finds his masterpiece (among a number…) apparently ignored by the vast majority of the ones that should par excellence have memorised the messages from it. Which can most partially be summed up by the following:

and would include reference to:

plus, one could throw in a picture on Knowledge–Attitude–Behaviour–et al:

From which one can deduce [c’mon, it’s hardly hard ..!] that there’s much more to life than just rote work, robot-style “compliance” (quod non), and that you’d better know and use that others do care about more than your petty little behavioural expectations. They bring in the money, not you… (?)
By the way: the actors are ‘always’ present — at least their internals (as above) are, 24/7, so you’d better deal with that also on a somewhat more continuous basis than the annual let-the-secretary-click-the-right-answers-for-you online “training” thingy.

5. Opportunity and the ORM pastiche

As if the stuff you have in place would or even could work. Dependent as you are on heat map reports … I need not say more on the subject than before, over and over again (apart from this link-summary), or dwell on the Controls issue that would take libraries to get out of your cargo cult systems [yes you are this primitive…!!]…, or it would be that there’s news in this town; a sort of Christmas gift move to the blindsided.
In short [not]: What you have today, in terms of risk management (or even only ~analysis) or ‘(sets of) controls’, is a shambles, to put it as mildly as one can. Being ignored by the ‘1st line’, for the actual RM1 and RM2 in particular, shows they see the folly of the whole 3LoD thinking, with the fooly (sic; yes, I made that an expression by using it) of the 2nd line above all. Just be happy you’re ignored, can continue to reap the budgets that you do [hint: any budget not well spent is a direct write-off loss, so maybe don’t complain about not getting enough as you might poke a sleeping bear…] and are tolerated for stupid-compliance reasons only.
And note that in the overall fraud threesome [the originals never made it a triangle; that was for those who didn’t quite ‘get it’, in order to impostorsyndrome themselves out of it with a Powerpoint pic avant la lettre], Opportunity seems to be something that normally isn’t there but suddenly presents itself. [Motivation and Rationalisation are apparently considered to be present for much longer, as they need ‘preparation time’ to mature to a usable (sic) level when called upon by the sudden appearance of the O.] Which is contrary to everyday business operations, of course. Which is also where one would start to fix things, but see that countering the psycho half (sic) is as much a part of daily ops [so, not ever project-based – though 15, 29 and 32 of this] as daily ‘controls’-compliance ops / ORM is.

Grande Finale

What to do, then …?

    1. Do some serious (O)RM [almost all RM is O-RM ..!!], that on the Threat side deals, aside from Acts of Nature and Acts of Man – Unconscious/accidental-style, also with Acts of Man – opportunistic-threat stuff. Plus, includes the ‘risk management’ done at the Actor side (like here). And, works through a portfolio management framework like here. Even including this, preferably, to bring down resistance which so far is far from futile [or it wouldn’t have existed anymore; see how total-society-uprooting-threatening your current approaches by the responses seem to have been]. Realise, too, that each and every ‘control’ introduced, brings new vulnerabilities and maybe you’ve gone beyond the optimal already and create more vulns than you ‘solve’.
    2. Do all the things against the Actors, permanently. ‘Against’ as in: Not distrust everyone as Guilty until (like, never) proven innocent, but the other way around — facilitate freedom until your pension [a number of latter-day links to papers in/of e.g., HBR, McK (if one can still trust them now they’re so exposed as required-results-report-for-sale cheapos), Quartz, Longreads, Medium, Tilda et al. bring a bit of news to this scene; study the definitive materials as they can help, from Old School / 2nd-Wave and counterculture-anarchy [not quite so much, if you study that link ..!!] organisational frameworks clashes, to synthesis into the 3rd Wave ideal form of the future, mixing needs and freedom in suitable mixes].
      See, this should have been in place all along. Conclude that you brought about fraud by your own ‘leadership’ [don’t get me started on that — oh, now you did! See: I meant lack of…] of micromanagement, which is your only resort when all else, like any true understanding of ‘management’, wasn’t present. Also, take note of this, and realise that diversity in your organisation doesn’t (only) increase diversity in threats but much more increases the chances that deviations get noticed; if all eyes look at/for the same things they’ll miss most of the important (sic) deviations, but when the focuses and angles differ, full coverage comes much closer, much more easily, automaticallier ;-/ just like two antimalware scanners cover more than one.
    3. Use all the new info you can get your hands on [for a start: the above links and where they lead you; should I add: in particular when off this blog…], and throw in some elaborate program on the quantitative side (Nassim Taleb, Vose, to name two ends to a scale) but also on the cultural side (these here couple of pundits (huh) provide a nice introduction and some links-from) — and continue to use the stuff you’ve interpreted from the above pics on how people work, internally. Let’s also include phrases like ‘Monte Carlo simulations, tornado charts et al.’; ‘AI/ML for modelling, visual-, text- and speech- semantical processing, prediction, and outlier detection’ in the mix. Any suggestions of what may be added here?

Anyway. Let’s just not talk of ‘fraud’ triangles ever again, ‘kay ..?

Now, finally, for your viewing pleasure:
[Strategy (which is execution, as in this) and detail a beautiful picture makes; Hilversum]

Bam! Goner.

No, not fireworks.
Because of joining a reputable consultancy, I’ll be posting much less frequently from now on. This is more about saying Thanks for all your attention [and not for all your not so much, yes I keep track which at these slim-to-none figures is easy], so long and thanks for all the fish, and See You Soon.
[Edited to add: After just over six months, looks (and talk) had deceived … ‘reputable’ turns out to also not be positive, sometimes. This time, clearly. Over to Secura per 1 Sept]


[To construct more elaborate ideas and stories; Calatrava’s Science museum, Valencia]

Meddle Managers

OK, an integration of very old material with some new stuff:
The things from the past being about how, in frequent swirls of comments and rants against ‘middle’ managers, there were two responses from my side: 1. Yes, they are, often (I), of the worst kind and that qualification has no Dutch connotation involved here; 2. No, they’re valuable and have a serious, very serious role to play, if they play it right like often (II) happens. This sort of discussion you can read back through my posts here.

Sure, there was, and is, much to improve qua meddling management. Take for example the span of control … When well-balanced, there’s insufficient time/room to micro-manage (or the one doing it will burn out; Darwinian selection) and there’s no blow-out due to overstretch (him again).
Or take the many strands on Leadership on the one hand and Supportive, Facilitating Foremen on the other. Like, this recent piece, in a way [read hard and you’ll find the way by the way], or this even further-reaching vista.

Now, we’re all eagerly awaiting Kristel Thieme’s follow-on posts …

The three together, would make quite a case for management in the right way, right ..?

Next up, the Spanish Inquisition. First, still:

[I’ve been told that fat back sides are still in fashion. Why …!?!? as they are ugly as s…; this, in Amsterdam harbour (6th of Europe, still..?)]

Rules, rules, rules Must Be. …?

A collection again of various viewpoints into one Idea [not to be pronounced like the construction kit company Eye-kja], in a collate-yourself fashion:

Part one, being yesterday’s post as here.
Coupled to, hey did I write it that early already how hopeful I was … this golden oldie.

And some quotexts:
Eric Hultgren stated in a post that “It’s still amazing to me that most of our organizational rules and practices (e.g. time reporting, hierarchical reporting, performance management, budgeting, vacation approval etc.) are based on the idea that a few people would misbehave if rules and practices were not there. Would it not make more sense to have organizational rules and practices that would fit the absolute majority of the people instead?”
to which Jad Nohra commented: “When something seems amazing, it’s usually because there is a hidden reason which, when understood, makes it seem much less amazing. In this case:
No, it’s not amazing, because the rules and practices are not written for the sake of any people in the organization, but sadly, they are written there mostly for the organization to be able to claim they have rules, and forward the blame to individuals in case of misbehavior. This is the main reason for these rules to exist.”

Both of which are to be linked to the respective chapters of Bruce Schneier’s much too much overlooked work in this field.

In the end … most of you will go this or that.
Whatever …?? And:

[Odd, qua style, I’m unsure what to make of it – consistent, different, probably works for the inside and maybe the outside but overall? Utrecht Papendorp]

Group ethics

“Individuals can be ethical, groups not so much.” — as a conclusion of this insightful piece.
At which, immediately my Canetti and Ortega y Gasset antennas went off the charts.

And with the note of the ‘can’ in the above — not so much the petty little bureaucrats with their mostly mumbo-jumbo about cold fusion 3LoD farrago [yes just look that up will you]. They are too hopelessly caught up in their view to consider the im- or rather anti-moral ramifications of the wrong understanding of the idea.

Also, rather, an onward discussion would involve solving the trolley problem and knowing-plus-beyond-that-understanding one’s own position anyway, as in this nifty test, brutally biased towards utilitarianism. Yes, that’s a pejorative if ever there was one.

Still, I’d like to leave it here now with an even more positive note; hard but not impossible …:
Can we bridge the gap between semantic levels, i.e., grasp the jump from mere knowledge to understanding and insight, the jump from personal data to privacy, etc. ..? Noting that there’s aggregation at work (Ortega y G again) plus an interesting notion of ‘emergent properties’. Unsure whether e.g., psychology/psychosociology/sociology [my browser spell (huh, ‘spelling’, but the abbreviation is better when dealing with browser ‘security’, eh?) checker suggests ‘psychopathology’, appropriately] would have some clear enough takes on that one ..! The jump from psycho to socio, I mean.
If we can get a grip on these kinds of jumps, we will for certain be able to build better brains — moving from plain ML to symbolic reasoning and vice versa, or rather, in full brain-copying cooperation. Capisce ..? Also, we’d better be able to do something about/with ethics.

After which:

[Time to pond(er); Alhambra Granada]

The No Kill Portfolio

Recently, I floated the idea to use a portfolio approach to the controls aspects of risk management, highlighting (positive or negative) correlations in their (positive or negative) effectiveness, individually and overall. This could be extended to include derivation of an optimal portfolio given a max of e.g., costs, which must include the cost of harassing your users with those controls, not possibly but most probably far outweighing the costs of controls-in-a-narrow-sense plus the benefits … But still, one could imagine some form of ‘efficient frontier’ or so; including calculating the greeks. Yes, I did graduate in Finance in the heyday of the Yuppies.

But I also had, a long time ago (in an internet era far, far away; 2013) already, discussed the possibilities of better fighting the kill chain (then, almost avant la lettre) through the use of cleverer controls, here (near the bottom of that one), in a matrix where the above user hindrance could be reduced significantly. Probably through [haven’t digested this idea-that-came-while-typing-it fully yet] improving the portfolio by naturally limiting correlations, much improving inherent hedging, which leads to a. a jump up in effectiveness, b. efficiency gains, c. easier acceptance by end users since security is more natural, easier, to the point of maybe not even noticing that one is doing the right thing.

Is there any grad student out there that needs to write a thesis / paper? Here’s your subject; I’d love to advise.
Others may also comment, please…

For the time being:

[Winter’s coming, do this it’s fun (and much harder than you think!!) no need to brace yourself (before…); Peterborough Curling Club]

AI and pattern matching — from the business side

As stated earlier, I believe in the power of ‘AI’ – when driven from ‘the business’ side. The latter being so ill-defined it hurts, a lot.
But nevertheless, take a Forbes article. Square that with the Accenture robotics approach. Then cube the lot with McKinsey’s insights.
Oh and a dose of this on organisational readiness to receive, also helps a lot.

There.

Four dimensions of the same. Possibly, some HBR can be thrown into the mix but already, you see that the bottom-up approach, which is valuable too here and there, can in fact be augmented, over-arched, with a more strategy-execution style program…
That should do it.

Oh also don’t forget: Mid-level, there is some solution in using a pipeline (like here! and here), but note that this, too, still a. requires Translators, b. is quite bottom-up, c. is at most mid-, project management level, d. has too little connection with program / project portfolio management to be deployed just like that. However necessary in your projects. Study both sides ..!

Leaving you with …:

[How a jumble still aligns, making the picture interesting; Zuid-As Amsterdam]

DevML Auditing

Since reinforcement learning is too broad a term… we’d better call it continued-in-deployment learning.
Back to the subject, being this CiDL. And how one would audit a system that uses, as one of its many (sic) parts, such a module. The weights change constantly, a little. At which point would one say that the system needs to be re-trained, since the implementation ‘certification’ (huh) of e.g., unbiasedness, determined once a long time ago, doesn’t apply anymore?

A couple of considerations:

  • For sure (sic again), the unbiasedness of yesterday is today’s societally unacceptable bias.
  • [Shall we newspeak-change ‘bias’ to ‘prejudice’ ..? That does legally and practically capture better what’s at stake.]
  • The cert will have to have a clause of validity at delivery time only, or be a fraud.
  • Have we similar issues already, with other ‘algorithms’..? Yes we do. As explained here.
  • Since, between the lines, you read there the connection to ‘Dev(Sec)Ops’… That, similar to scrummy stuff, should be no problem to audit nowadays, or … check on your engagement checklist: You do not have the prerequisite knowledge, let alone understanding, period.
  • So, how do you audit DevOps developments, for e.g., continued ‘existence’ of controls once devised? How could you not also audit ML performance (vis-à-vis criteria set before training started, in terms of error rates etc.etc.etc. ..?) to see that it remains within a certain bandwidth of accuracy and that’s enough ..? The bandwidth being the remain-materially-compliant-with(in)-controls of other algo levels.
  • Side note: How do you today ‘audit’ human performance on manual execution of procedures i.e., algorithms ..??
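One way to make the “remains within a certain bandwidth” criterion of the bullets above concrete, as an added example that is not part of the original post: the error rate and the between-group error gap are fixed at certification time, each deployment window of the continued-in-deployment learner is checked against them, and the first breach flags the need for re-certification. All thresholds, group labels and prediction records below are constructed for illustration.

```python
"""
Audit check for a continued-in-deployment learner: is the deployed model still
within the accuracy bandwidth and the between-group error gap that were fixed
when it was certified? Constructed data; thresholds are illustrative only.
"""
from collections import defaultdict

# Criteria fixed at certification time (constructed figures, not from any
# real model): baseline error rate, allowed drift band around it, and the
# maximum allowed gap between per-group error rates (the 'bias' criterion).
CERT = {"baseline_error": 0.10, "max_drift": 0.05, "max_group_gap": 0.04}

def error_rates(records):
    """Overall and per-group error rates for one monitoring window.
    records: iterable of (group, y_true, y_pred)."""
    total = errs = 0
    by_group = defaultdict(lambda: [0, 0])   # group -> [errors, count]
    for group, y_true, y_pred in records:
        wrong = int(y_true != y_pred)
        total += 1
        errs += wrong
        by_group[group][0] += wrong
        by_group[group][1] += 1
    overall = errs / total if total else 0.0
    per_group = {g: e / n for g, (e, n) in by_group.items()}
    return overall, per_group

def audit_window(records, cert=CERT):
    """Return a list of findings; empty means the window is still within the
    certified bandwidth. Each finding names the breached criterion."""
    overall, per_group = error_rates(records)
    findings = []
    if abs(overall - cert["baseline_error"]) > cert["max_drift"]:
        findings.append(f"error rate {overall:.3f} outside band "
                        f"{cert['baseline_error']} +/- {cert['max_drift']}")
    if len(per_group) > 1:
        gap = max(per_group.values()) - min(per_group.values())
        if gap > cert["max_group_gap"]:
            findings.append(f"group error gap {gap:.3f} > {cert['max_group_gap']}")
    return findings

def make_window(n_per_group, errs_per_group):
    """Constructed sample window: deterministic (group, y_true, y_pred) rows
    with a chosen number of misclassifications per group."""
    out = []
    for group, n in n_per_group.items():
        e = errs_per_group[group]
        out += [(group, 1, 0)] * e + [(group, 1, 1)] * (n - e)
    return out

# Three constructed windows: the first two stay within the certified band,
# the third has drifted overall AND treats group B noticeably worse.
WINDOWS = [
    make_window({"A": 100, "B": 100}, {"A": 10, "B": 12}),
    make_window({"A": 100, "B": 100}, {"A": 13, "B": 11}),
    make_window({"A": 100, "B": 100}, {"A": 14, "B": 22}),
]

def needs_recertification(windows):
    """Index of the first window that breaches the certificate, or None."""
    for i, w in enumerate(windows):
        if audit_window(w):
            return i
    return None

if __name__ == "__main__":
    for i, w in enumerate(WINDOWS):
        print(i, audit_window(w) or "within certified bandwidth")
```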

That’s all for now; details may follow (or not; IP has several meanings…).
Leaving you with:

[Designed for Total Compliance; one of the Big-4’s offices, Zuid-As Amsterdam]

Your Cyberrrr… Portfolio ..?

Tinkering with the ideas for IRM/ORM to tackle the post-heat-map world. The one that emerges once all the ones out there take the truth seriously, which would lead to:

And for the nay-(not…)sayers this post to illuminate the destructive cling-to-failure-mode thinking of many still, in RM.
After which there is still tons of stuff to manage in the IRM/ORM arena [the difference set between those, shrinks fast ..!]. Risk registers cut it as little, slim-to-none, as the heat map fallacies.

Triggered among others by this illuminating post by Graeme Keith that almost matter-of-factly outlines a portfolio approach to operational risks that can be used in so many places, much better than the common list of risks.

Since, e.g., the portfolio approach better suits the complexity of interactions, i.e., correlations, between threats, controls and control weaknesses (including interactions between them, and every control creates its own extra (sic) set of vulnerabilities, etc.), and vulnerabilities in all sorts of non-linear (sic) ways.
And also, this picks up on the (other) strand of ‘quantitative as far as that goes’ of this, this and this post. The latter being an illustrative example of the vicious circles of ever complexicating methodological troubles that characterise end-of-times thinking in wrong (dead-end alley) directions.
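To make the portfolio idea of this post and of the No Kill Portfolio post above tangible, here is an added example (mine, not from the original posts) that treats a set of controls like a mean/variance portfolio: each control has an expected effectiveness, an uncertainty around it, a cost that includes the user-hindrance cost, and a correlation of effectiveness with the other controls (controls that fail together hedge each other poorly). The efficient frontier under a cost cap is found by brute-force enumeration of subsets; all control names, figures and correlations are constructed, and the Markowitz-style arithmetic is an assumption about how one might model it.

```python
"""
Controls as a portfolio: mean/variance of combined effectiveness and a
brute-force efficient frontier under a cost cap. Constructed sample data.
"""
from itertools import combinations
from math import sqrt

# Constructed sample controls (names and figures are made up for illustration).
# mu: expected share of a loss scenario prevented; sigma: uncertainty in that
# effectiveness; cost: direct running cost PLUS the cost of hindering users.
CONTROLS = {
    "mfa":       {"mu": 0.30, "sigma": 0.08, "cost": 4.0},
    "edr":       {"mu": 0.25, "sigma": 0.10, "cost": 5.0},
    "av_second": {"mu": 0.10, "sigma": 0.09, "cost": 2.0},  # second scanner
    "awareness": {"mu": 0.08, "sigma": 0.12, "cost": 3.0},
    "seg":       {"mu": 0.20, "sigma": 0.06, "cost": 6.0},  # segmentation
}

# Correlation of effectiveness between control pairs (constructed). A high
# value means the two tend to fail together, so they hedge each other poorly;
# unlisted pairs are assumed uncorrelated.
CORR = {
    ("edr", "av_second"): 0.7,     # both lean on the same detection telemetry
    ("mfa", "awareness"): 0.2,
    ("mfa", "seg"): -0.1,          # different failure modes: slight hedge
}

def corr(a, b):
    """Correlation lookup, symmetric, 1.0 on the diagonal."""
    if a == b:
        return 1.0
    return CORR.get((a, b), CORR.get((b, a), 0.0))

def portfolio_stats(names):
    """Expected effectiveness, std deviation and cost of a set of controls.
    Variance follows the usual sum over sigma_i * sigma_j * rho_ij."""
    mu = sum(CONTROLS[n]["mu"] for n in names)
    var = sum(CONTROLS[a]["sigma"] * CONTROLS[b]["sigma"] * corr(a, b)
              for a in names for b in names)
    cost = sum(CONTROLS[n]["cost"] for n in names)
    return mu, sqrt(var), cost

def efficient_frontier(budget):
    """All control subsets within budget that no other affordable subset
    dominates (at least as much effectiveness AND at most as much spread,
    strictly better in one). Returned sorted by expected effectiveness."""
    names = sorted(CONTROLS)
    cands = []
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            mu, sd, cost = portfolio_stats(combo)
            if cost <= budget:
                cands.append((combo, mu, sd, cost))
    frontier = []
    for c in cands:
        dominated = any(o is not c and o[1] >= c[1] and o[2] <= c[2]
                        and (o[1] > c[1] or o[2] < c[2]) for o in cands)
        if not dominated:
            frontier.append(c)
    return sorted(frontier, key=lambda t: t[1])

if __name__ == "__main__":
    for combo, mu, sd, cost in efficient_frontier(budget=10.0):
        print(f"{', '.join(combo):24s} mu={mu:.2f} sd={sd:.3f} cost={cost:.1f}")
```

Compare the two-control portfolios: the strongly correlated scanner pair barely reduces spread below the sum of its parts, while the weakly hedged pair does, which is the “two antimalware scanners” point in quantitative form.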

For now, I’ll let you have fun digesting the above. Just remember: Portfolios are the Future ..!
And:

[But it is Art; Tate Modern many years ago]

Maverisk / Étoiles du Nord